Windows Recall sounds like a privacy nightmare – here’s why I’m worried
Screenshotting everything you do and feeding it into an AI model could be a recipe for disaster
When I first heard about Recall, I immediately buried my face in my hands. I never thought I'd see such a glaring target be created by Microsoft, never mind it being marketed as a feature.
If you haven't read about it yet, Recall is an AI feature coming to Windows 11 Copilot+ PCs. It's designed to let you go back in time on your computer by "taking images of your active screen every few seconds" and analyzing them with AI, according to Microsoft's Recall FAQs. If anyone other than you gets access to that Recall data, it could be disastrous.
"Satya Nadella says Windows PCs will have a photographic memory feature called Recall that will remember and understand everything you do on your computer by taking constant screenshots" (tweet, May 20, 2024; pic.twitter.com/Gubi4DGHcs)
This might sound familiar, and that's because it's remarkably similar to the failed and shelved Timeline feature back on Windows 10. However, unlike Timeline, Recall doesn't just restore a version of your desktop files, it uses AI to take you back to that moment, even opening relevant apps.
What’s the problem with Windows Recall?
On the surface, this sounds like a cool feature, but that paranoid privacy purist in the back of my mind is burying his face in a pillow and screaming. Imagine if almost everything you had done for the past three months was recorded for anyone with access to your computer to see. Well, if you use Recall, you won't have to imagine.
That might seem like an overreaction, but let me explain: Recall is taking screenshots every few seconds and storing them on your device. Even with encryption in the mix, that is an enormous pile of visual data showing almost everything you've been doing on your computer during that period.
As Microsoft explains, “The default allocation for Recall on a device with 256 GB will be 25 GB, which can store approximately 3 months of snapshots. You can increase the storage allocation for Recall in your PC Settings. Old snapshots will be deleted once you use your allocated storage, allowing new ones to be stored.”
This is worse than keylogging! Recall isn't just recording what you type, it's recording everything you're doing, with photo evidence, every few seconds.
I say almost everything because Microsoft claims "Recall also does not take snapshots of certain kinds of content, including InPrivate web browsing sessions in Microsoft Edge. It treats material protected with digital rights management (DRM) similarly; like other Windows apps such as the Snipping Tool, Recall will not store DRM content." That's reassuring on the surface, but it's still far too vague for anyone to actually have any faith in it.
Will this only work on Microsoft Edge, or will it integrate with Chrome and Firefox too? If it only works with Edge, that feels like an egregious walling off of privacy for not using Microsoft's unpopular web browser.
But that’s just the tip of the iceberg. Microsoft openly admits that Recall will be taking screenshots of your passwords and private data:
“Note that Recall does not perform content moderation. It will not hide information such as passwords or financial account numbers. That data may be in snapshots that are stored on your device, especially when sites do not follow standard internet protocols like cloaking password entry.”
So, what you could have here is something that stores your passwords, your information, your account details, etc, and that is visible to anyone on your profile. If you only have one profile for your device, that means everyone with access to that PC will be able to see your Recall data.
Arguably, the worst part about this is that it will be on by default once you activate your device. Microsoft states:
On by default
“On Copilot+ PCs powered by a Snapdragon® X Series processor, you will see the Recall taskbar icon after you first activate your device. You can use that icon to open Recall’s settings and make choices about what snapshots Recall collects and stores on your device.”
I think this is a bad idea. The decision should be made by the individual, and not by Windows. Having it immediately active just means that uninformed people may not be able to act upon this. In my eyes, it's akin to cookie tracking – it can be just as invasive. All of this makes me wonder whether it may hit a snag with consent under GDPR.
Is Microsoft making Recall secure?
In defense of Microsoft, I'd like it to be known that there was an attempt to make it secure. I don't think it was a very good one, but there was an attempt.
Microsoft states that "Recall snapshots are kept on Copilot+ PCs themselves, on the local hard disk, and are protected using data encryption on your device and (if you have Windows 11 Pro or an enterprise Windows 11 SKU) BitLocker." From the wording here, that looks like your snapshots will only be encrypted if you have Windows Pro or an enterprise Windows SKU.
The omission of Windows Home users is horrifying. If this is the case, it leaves everyday people vulnerable if their devices are compromised. People shouldn't have to pay a premium and upgrade to protect their privacy on an operating system that's snapshotting their screen every few seconds.
The big question, though, is what kind of encryption is being used? I've been working with virtual private network (VPN) encryption for a while now, and just because something is "encrypted" doesn't mean it's safe. In fact, with developments in quantum computing, today's public-key encryption is under threat, and even the best VPN services are having to come up with quantum-secure encryption methods. We've already seen that BitLocker can be cracked: the demonstrated attacks target TPM-only setups with no pre-boot PIN, sniffing the volume key as it crosses the TPM bus, and they need hands-on access to the machine, which is exactly the lost-or-stolen-laptop case a local snapshot store has to survive.
Another note in Microsoft’s favor is that the data is stored locally and encrypted, rather than it being uploaded to a cloud server for Microsoft to access.
“Recall screenshots are only linked to a specific user profile and Recall does not share them with other users, make them available for Microsoft to view, or use them for targeting advertisements.”
This means that, for now, Microsoft isn’t peeking behind the curtain. But that doesn’t guarantee that’ll be the case forever. If Microsoft can legally find a way to make money out of this tool, my guess is that they’ll try. For now, the push seems to be to persuade people to upgrade their OS.
If you’re one of those households that has different profiles for each person on the family PC, you can claw back a little bit of privacy.
“Screenshots are only available to the person whose profile was used to sign in to the device. If two people share a device with different profiles they will not be able to access each other’s screenshots. If they use the same profile to sign-in to the device then they will share a screenshot history. Otherwise, Recall screenshots are not available to other users or accessed by other applications or services.”
The problem is, that's only helpful if you password-protect your profile, and if someone sets parental controls on your profile, that could give them a backdoor.
What are the security risks with Recall?
You’re probably thinking “so what?” So let me give you a few scenarios where this could be a problem:
There are so many problems that can arise just from someone accessing your Recall data. Using a password manager would become irrelevant if someone can see you typing in your master password, your private messages will be anything but, and there's no point in deleting your search history because Microsoft is keeping the receipts!
How to protect your privacy with Windows Recall
There are a few ways you can protect your privacy from Windows Recall, but the obvious, and most effective one will be to disable it outright. As the saying goes “an ounce of prevention is worth a pound of cure.” You’re better off not having this stuff stored on your device in the first place.
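As an added example, not from the article and not Microsoft's own code: a PowerShell script that turns off Recall snapshot saving by setting the Windows AI policy value in the registry, then reads it back to confirm. The key path and value name (DisableAIDataAnalysis under HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsAI, with a per-user twin under HKCU) are taken from Microsoft's "Turn off saving snapshots for Windows" policy as documented for Copilot+ PCs; treat them as assumptions and check the current documentation before relying on them, since the policy has changed across builds. Run it from an elevated PowerShell prompt.

```powershell
# Added example: disable Recall snapshot saving via the Windows AI policy key.
# ASSUMPTION: path and value name follow Microsoft's "Turn off saving snapshots
# for Windows" policy; verify against current Microsoft documentation.
$valueName = 'DisableAIDataAnalysis'
$policyPaths = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsAI',   # machine-wide
    'HKCU:\Software\Policies\Microsoft\Windows\WindowsAI'    # current user
)

function Get-RecallPolicyState {
    param([string]$Path)
    $item = Get-ItemProperty -Path $Path -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }     # key or value absent
    if ($item.$valueName -eq 1) { return 'Disabled' }   # snapshots turned off
    return 'Enabled'                                    # value present but 0
}

function Disable-RecallSnapshots {
    param([string]$Path)
    if (-not (Test-Path $Path)) {
        New-Item -Path $Path -Force | Out-Null          # create the policy key
    }
    # DWORD 1 = "Turn off saving snapshots"; -Force overwrites an existing value
    New-ItemProperty -Path $Path -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null
}

foreach ($path in $policyPaths) {
    Write-Host ("{0}`n  before: {1}" -f $path, (Get-RecallPolicyState -Path $path))
    try {
        Disable-RecallSnapshots -Path $path
    } catch {
        # HKLM needs an elevated prompt; report rather than abort so HKCU still gets set
        Write-Warning "Could not write $path : $($_.Exception.Message)"
    }
    Write-Host ("  after:  {0}" -f (Get-RecallPolicyState -Path $path))
}
```

A policy value only stops future snapshots; anything already captured stays in the user's snapshot store until it is deleted from Recall's own settings, so check the storage allocation page after applying this. Note also that the policy applies per machine or per user, which is why the script writes both hives.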
If, however, you want to use Recall, you’re going to need to do the following:
Bottom line: Recall makes my skin crawl
Look, I've been a privacy advocate and researcher for years. I don't like the idea of anything tracking what we do. But this… this is something else. The risk that comes with Recall, the sheer devastation it could cause if your device gets hacked, the idea that Microsoft may be walling off privacy behind what I can only describe as a paywall. It sickens me.
There is so much opportunity for misuse with this feature. Security cannot be overstated. Privacy cannot be bolted on. Taking screenshots of my device from the second I activate my device should not be a default option. Put the user in control of their privacy, and put the decision in their hands.
All of this just pushes me into the privacy-loving flippers of Linux.
Andreas has been with TechRadar as Future PLC’s Editor-in-Chief of Tech Software since March 2023, supporting content and teams on VPNs, antivirus, and other cybersecurity tools. He’s previously written for and led content at ProPrivacy, Business2Community, and The Tech Report. After completing a Master of Research degree, Andreas fell in love with all things cybersecurity; combining his passions to help expose the prevalence of ad tech in the charity sector and raise awareness of digital privacy around the world.